Security Overview

Security is foundational to Echo: customers trust us with unreleased recordings, client work, and private conversations. This page summarizes the technical and organizational measures we use to protect Customer Content and account data. It is a plain-English overview, not a contractual commitment; contractual security terms live in our Data Processing Addendum.

• In transit: all traffic between your browser and Echo, and between Echo and its service providers, is encrypted using TLS 1.2 or higher.
• At rest: Customer Content and database records are encrypted at rest using industry-standard encryption provided by our infrastructure providers.

We follow the principle of least privilege. Access to production systems and customer data is restricted to the minimum set of personnel who need it to operate the service, is protected by strong authentication, and is reviewed periodically. Customer data is never accessed for any purpose other than operating the service, supporting you at your request, or meeting legal obligations.

Customer data is logically isolated on a per-customer basis. Every query and storage operation is scoped to the authenticated account, so one customer's projects, transcripts, and outputs are never visible to another.

Echo runs on established cloud infrastructure: application hosting and CDN on Vercel, and Postgres database hosting on Neon. AI processing is performed by Anthropic (text generation) and Deepgram (transcription), payments by Polar, and transactional email by Resend. Each provider operates its own audited security program, and each is bound by data protection terms with us. Customer Content is not used by us or our AI providers to train AI models.

We build with security in mind throughout the development lifecycle: code review before deployment, dependency monitoring for known vulnerabilities, secrets kept out of source control, and separation between development and production environments.

SOC 2 Type II — in progress. We are building our controls and evidence program toward a SOC 2 Type II examination and will update this page as that work progresses. We do not currently claim any held certification.

Our GDPR and international transfer commitments are documented in our Data Processing Addendum.

We maintain procedures for detecting, triaging, and responding to security incidents. If an incident affects your personal data, we will notify you without undue delay with the information you need for your own obligations, consistent with our DPA and applicable law.

We welcome reports from security researchers. If you believe you have found a vulnerability in Echo, email security@1labs.ai with enough detail for us to reproduce the issue. Please give us a reasonable opportunity to remediate before public disclosure, and do not access or modify data that is not yours. We will acknowledge reports promptly and keep you informed of remediation progress.

Account security is shared. Use a strong, unique password (or Google sign-in), keep your credentials private, and remove team members who no longer need access. Contact security@1labs.ai immediately if you suspect your account has been compromised.

This document is a working draft prepared for launch and is pending review by legal counsel.